This is an example of creating Kubernetes MutatingWebhook with v1 version of
the AdmissionRegistration API - admissionregistration.k8s.io/v1
.
The webhook Pod is created as a set of two containers - an init container and webhook container. The init container creates the self-signed CA, server key/certificate, registers the mutatingwebhookconfiguration object, and creates a Secret object with the server key/certificate. The webhook container mounts this Secret as a Volume and serves the webhook endpoint.
Check mutatingwebhook.yaml to see the Kubernetes resources and actions that will be intercepted by this mutating webhook.
At CloudARK, our KubePlus Operator depends
on a working MutatingWebhook setup. When we started building KubePlus,
the AdmissionRegistration API was still in v1beta1
version. We built our webhook
using the spec properties and features available in that version. This worked till Kubernetes
versions < 1.22 were still around in public cloud providers. Lately though, we started
observing that public cloud providers have moved to Kubernetes versions 1.22 and above.
These versions do not serve the v1beta1
version of the AdmissionRegistration API anymore.
So we had to migrate our webhook to use the v1
version of AdmissionRegistration API.
The path to reach there was not straightforward. When we had built the original webhook,
we had depended on the excellent example available at [1]. So our first approach was to
try to modify that to use the v1 API instead of the v1beta1 API. However, we ran into several
problems in this approach. The v1 registration API has made certain fields in the CSR object
compulsory. One of them is the signerName. We tried using kubernetes.io/kubelet-serving
,
kubernetes.io/kube-apiserver-client
. But both of these did not work. Turns out the simplest
approach is to create a self-signed CA and use it's certificate to sign the key of the webhook server [2,3,4].
- Create a Minikube cluster with Kubernetes version >= v1.22.0
minikube start
eval $(minikube docker-env)
- Check that the cluster has admissionregistration.k8s.io/v1 endpoint
kubectl api-versions
-
Install Golang >= 1.12
-
Set Environment Variables
GO111MODULE=on
GOPATH=<Path to your go workspace>
GOOS=linux
- Build the executable
go get github.com/googleapis/gnostic@v0.4.0
go build .
- Build containers
docker build -t mwh -f Dockerfile.mwh .
docker build -t mwh-setup .
- Deploy the Webhook
kubectl create -f deploy-mwh.yaml
until kubectl get pods | grep test-mwh-deployment | grep Running; do echo "Waiting for MutatingWebhook Pod to become ready"; sleep 1; done
- Test creating a namespace
kubectl create ns ns1
- Verify that the create request was intercepted
kubectl get pods | grep test-mwh-deployment | awk '{print $1}' | xargs kubectl logs -c crd-hook
- Cleanup
kubectl delete mutatingwebhookconfigurations test-mwh
kubectl delete -f deploy-mwh.yaml
- Minikube - Server version v1.21.0, July 28, 2022
If you try the code, we would love to hear from you. Please consider opening a PR with the information about the platform that you tested on. We would like to improve the list of Tested on platforms.